The host machines in a datacenter execute multiple guest virtual machines (VMs). Each VM runs its own guest operating system. Containers, on the other hand, are self-contained execution environments that share the kernel of the host machine's operating system.
Today, there is a new trend of containerized applications that allow processes to be sandboxed and their resource allocations to be controlled. For instance, Docker has commoditized Linux container capabilities and made them easy for applications to use. However, containers are not completely secure today. The Linux container capabilities were not designed with security in mind, so the applications running inside the containers are at risk. If a rogue application gains root access inside a container, it can gain root access to the VM.
Datacenters provide agentless security for guest VMs by partnering with various anti-virus and anti-malware vendors. The security applications require knowledge of file events and the context associated with those events, such as the process and user information. Currently, file introspection functionality is provided in the host machines at the VM level, which allows the security vendors to apply protection policies at the VM level.
However, when a VM is running multiple containers, there is no way to provide a granular, container-level policy. A container hides the applications running inside it. There is currently no way to differentiate whether a file event was generated within a container or from the VM itself. In addition, the container-specific context associated with a file event, such as the process and user information, is not available outside the container.
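The gap described above is that a file event arrives with, at best, a process identifier and no indication of which container (if any) that process belongs to. The following added example, which is not part of the original text, shows one way a guest-side security component can recover that context by reading the process's cgroup membership from `/proc/<pid>/cgroup`. The container-ID patterns, the `read_cgroup` reader callback and the sample cgroup listings are assumptions constructed for this illustration, not something the page specifies.

```python
import re
from typing import Callable, Optional

# Assumption: 64-hex-digit container IDs as written into cgroup paths by
# Docker (cgroup v1 "/docker/<id>", cgroup v2 "docker-<id>.scope") and by
# containerd/CRI ("cri-containerd-<id>.scope"). Other runtimes need their own patterns.
_CONTAINER_ID = re.compile(
    r"(?:docker-|/docker/|cri-containerd-|/containerd/)([0-9a-f]{64})"
)


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the container ID named in a /proc/<pid>/cgroup listing, or None
    when every line maps to a VM-level (non-container) cgroup."""
    for line in cgroup_text.splitlines():
        # v1 lines look like "12:memory:/docker/<id>", v2 lines like
        # "0::/system.slice/docker-<id>.scope"; the path is the third field.
        path = line.split(":", 2)[-1]
        match = _CONTAINER_ID.search(path)
        if match:
            return match.group(1)
    return None


def enrich_file_event(event: dict, read_cgroup: Callable[[int], str]) -> dict:
    """Attach container context to a file event that only carries a pid.
    read_cgroup(pid) returns the text of /proc/<pid>/cgroup; it is injected so
    the example runs offline and so a live reader can be swapped in."""
    cid = container_id_from_cgroup(read_cgroup(event["pid"]))
    return {**event, "container_id": cid, "scope": "container" if cid else "vm"}


def read_proc_cgroup(pid: int) -> str:
    """Live reader for a real guest; not used by the offline sample below."""
    with open(f"/proc/{pid}/cgroup", encoding="utf-8") as handle:
        return handle.read()


# Constructed sample cgroup listings (not captured from a real system).
SAMPLE_CGROUPS = {
    101: "0::/system.slice/docker-" + "a" * 64 + ".scope\n",
    202: "12:memory:/user.slice\n1:name=systemd:/user.slice/user-1000.slice\n",
    303: "0::/kubepods.slice/kubepods-burstable.slice/cri-containerd-" + "b" * 64 + ".scope\n",
}


def read_sample_cgroup(pid: int) -> str:
    return SAMPLE_CGROUPS[pid]


if __name__ == "__main__":
    for pid in SAMPLE_CGROUPS:
        print(enrich_file_event({"path": "/etc/passwd", "pid": pid}, read_sample_cgroup))
```

With the resolved container ID, the introspection layer can then apply a per-container policy and report the originating process and user alongside the file event, which the plain VM-level view cannot do.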